Module 02 - Security

SMB Masters Program in person series
Technical training
Name
Date

Agenda Day 1: Technical training
Technical Training – Day 1
Time | Session | Description
8.00-8.30 | Breakfast / Coffee |
8.30-9.00 | Session introduction | Agenda, roundtable introductions, setting the expectations for the day
9.00-9.45 | Module 1 : Intro to SMB Portfolio, Partner Tools & Resources | Cover the SMB SKU’s, M365BP Playbook, MDB Playbook, Workshops
9.45-10.00 | Break |
10.00-11.45 | Module 2 : Security | Microsoft Defender for Business, Advanced Security, Microsoft Lighthouse, Azure AD P1, Zero Trust, etc.
11.45-12.15 | Module 2 : Hands-on Lab | Lab Security
12.15-1.00 | Lunch |
1.00-2.30 | Module 2 : Hands-on Lab | Lab Security (Continued)
2.30-3.30 | Module 3 : Windows 365 | Windows 365 Value Proposition and Management, Windows 365 Business vs Enterprise, Azure Virtual Desktop
3.30-4.00 | Module 3 : Hands-on Lab | Labs (Windows 365)
4.00-5.00 | Ask the Expert / Finish Labs | Optional Q&A session. Ideally with guest speakers from Microsoft or Indirect Provider
Agenda Day 2: Technical training
Technical Training – Day 2
Time | Session | Description
8.00-8.30 | Breakfast / Coffee |
8.30-9.30 | Module 4 : Device Management | Microsoft Intune and Windows Autopilot
9.30-10.30 | Module 4 : Hands-on Labs | Labs (Microsoft Intune, Windows Autopilot etc)
10.30-10.45 | Break |
10.45-12.15 | Module 5 : Productivity | Microsoft Teams, Teams Phone, Teams Rooms, Bookings, Shifts
12.15-1.00 | Lunch |
1.00-2.30 | Module 5 : Hands-on Labs | Labs (Microsoft Teams, Teams Phone)
2.30-2.45 | Recap and Close |


Technical training objectives
After this training, you as a participant will be able to…
• Have the ability to deploy and manage key SMB productivity scenarios
• Have the ability to deploy and manage key Security and Windows 365 scenarios
• Have the ability to deploy Microsoft 365 and services across multiple customers using Microsoft 365 Lighthouse
Grow your partner business through customer acquisition and upsell with Microsoft 365

Technical training purpose
This technical training requires your active participation; head to our digital learning path for more Microsoft 365 SMB sales and technical trainings.
• Grow ability to deploy key components of the Microsoft 365 Business portfolio across Productivity, Security and Windows 365
• Learn how to successfully manage Microsoft 365 with Microsoft 365 Lighthouse multitenant capabilities
• Ask questions and get inspiration from your peers
Participate in the Digital Masters Program!

H1
Foundational sales track
• Partner opportunity with M365 for SMB
• Partner GTM best practices
• Lifecycle management with Microsoft tools
Foundational technical track
• Microsoft 365 Productivity
• Microsoft 365 Security
• Windows 365
• Management with Lighthouse

H2
Hybrid work, Next gen Windows Experiences and Security sessions
Hybrid work
• Teams Phone
• Teams Rooms
• Teams Platform & Apps
Next gen Windows
• W365 Business VS Enterprise
• Azure Virtual Desktop VS W365
• Provisioning W365
Seamless Security
• Building Security services with the broader MSP stack
• Mapping M365 BP & MDB to Security frameworks
• Integration with the Microsoft Security stack

How to maximize your impact
Let’s get the most out of our time together
• Phone on silent mode
• Use phone and laptop during breaks and lunch
• Active participation in discussions
• Ask your questions and be open to share
• Keep timings

Intro: Let’s go around the room
Tell us in less than 30 seconds…
• Your name
• Your role
• What you hope to learn today
Security
• Security foundation
• Identity security
• Email protection
• Information governance
• Endpoint / Device security
• Bringing it all together
• Security Summary

Security foundations
Cyberthreats – overview
Phishing: Fraud in which an attacker masquerades as a reputable person. It’s often easier to trick someone than to hack in.

Ransomware: Malicious encryption software that blocks access to systems and demands a sum of money to unlock. An infected PC can spread the ransomware to other computers on your network.

Fileless attacks use malicious scripts that hijack legitimate software and load malware into memory, without saving to the file system. This makes the malware harder to detect.

Live off the land attacks use trusted software and system tools to carry out their work. Examples are administrative shells, antivirus programs, RMM software, etc. This makes it difficult to detect and/or determine who is behind the activity.
Why should SMB customers care?

Perception
I am too small a business for hackers to attack me… only large enterprises need to worry about security…

Reality
“Someone was fooled by the email from the CEO and used his Corp card to send the iTunes gift cards. We lost about $5,000.”
— Adam A., equipment rentals, 150 employees

“The only reason we caught it was that it was a 6-digit sales order and our sales orders are 7 digits.”
— Joe B, food distribution, 250 employees

“They got someone’s password, and sent an email to our CFO, who sent the $40,000 wire transfer.”
— Bob K., property management, 150 employees
SMBs and Security
• 80% of SMBs have antivirus in place, but 93% still have security concerns
• 70% of SMBs believe security is becoming more of a risk
• Nearly 1 in 4 have experienced a cyber attack

Customer need translates to partner opportunity
85% of partners see security as biggest area of growth¹
• How do we expand security services beyond basic AV?
• How do we deliver services at scale?
• How do we do so without increasing cost?

Sources: ¹ Channel Futures | 2020 MSP 501 Full Report

Zero trust
What is Zero Trust and how does it help me protect my customer?

Name: Bob D
Role: Technical Consultant
Company: Partner
The increasingly complex state of cybersecurity
• Attack surface is expanding due to hybrid work
• Rapid acceleration and increasing sophistication of cybercrime
• Rising cost of cybersecurity risk mitigation and remediation
Common challenges with access security today
• Hybrid work requires seamless, flexible experiences while keeping access secure
• Rapid increase of identities (employees, partners, customers, digital workloads) that need to be protected
• Evolving regulations with data privacy and security implications
• Accelerated growth of apps, on and off the corporate network, requiring secure access
• Identity attacks are on the rise: 921 password attacks per second¹ and new attack vectors (e.g., token theft)

1. “This World Password Day consider ditching passwords altogether”. May 5, 2022, Microsoft Security
Zero Trust starts with secure identities and endpoints
(Diagram: a Zero Trust policy, supported by policy optimization, threat protection, and monitoring and analytics, governs access from identities and endpoints to data, apps, infrastructure and network.)

Identities and endpoints are your first line of defense
• 80% of breaches involve the use of lost or stolen passwords.¹
• 60% of BYO devices are not secured by IT.²

1. “Verizon 2020 Data Breach Investigations Report”
2. “Mobile security—the 60 percent problem” Brian Peck, Zimperium, April 7, 2020
An integrated and complete solution for securing access and identities
• Secure identities and access: Azure Active Directory P1
• Secure Endpoints: Microsoft Endpoint Manager, Microsoft Defender for Business

Azure Active Directory
Secure access for a connected world.
Protect your users, apps, workloads, and devices.
• User directory
• Single sign-on to any app
• User self service

Azure AD P1
• Multifactor and passwordless authentication
• Conditional Access and Identity Protection
• Hybrid identity management
• Core identity governance
• External and frontline identities
Endpoint security for Zero Trust is a team sport

Microsoft Endpoint Manager simplifies management workflows across cloud and on premises endpoints for Zero Trust security.
• Visibility and control with continuous health, compliance, and security signaling
• Set policies and manage company and employee-owned device compliance
• Zero touch deployment, and non-intrusive app management supports seamless user experiences

Microsoft Defender for Business provides visibility into endpoints accessing corporate resources, one of the first steps in a Zero Trust device strategy.
• Monitor and gain visibility into configuration profiles while exposing security anomalies
• Evaluate every endpoint for risks and employ granular access controls to devices
• Discover unmanaged and unauthorized endpoints and network devices
Overview: Microsoft 365 Security offers
Two key offers for SMBs
01 Business Premium: Comprehensive Security with device management and productivity. $22 pupm
02 Microsoft Defender for Business: Standalone endpoint Security to protect customers’ devices and endpoints. $3 pupm
Microsoft Defender for Business
What is Microsoft Defender for Business?

Name: Angela A
Role: Partner Resource
Company: Partner

Opportunity
• 90% of SMBs buy paid endpoint security (Microsoft commissioned research, 2019)
• $40B global cybersecurity sales (https://www.mckinsey.com/business-functions/risk-and-resilience/our-insights/securing-small-and-medium-size-enterprises-whats-next)
• 90% of customers say they will switch IT partners if they offered better security (Internal Microsoft Research)

Product Reviews
• Top ranked AV engine, AV-Test etc. (https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests)
• “fantastic feature set, given that it is just going to be in Microsoft 365 Business Premium, considered the Gold Standard …” – Alex Fields, MSP Influencer, Introducing Microsoft Defender for Business: you heard that right… it’s *included* with Business Premium – ITProMentor

Solution
• Global: 181 markets / 53 languages
• Cross platform: Windows, iOS, Android, Mac¹
• Microsoft 365 Lighthouse, RMM integration

¹ iOS, and Android requires Microsoft Intune. Intune is included in Microsoft 365 Business Premium. Please see Documentation for more detail.
Microsoft Defender for Business
Elevate your security
Endpoint protection specially designed for businesses with up to 300 employees.

Enterprise-grade protection: Protect your devices against ransomware and other cyberthreats with industry-leading Defender technologies like endpoint detection and response and threat and vulnerability management.

Easy to use: Get up and running quickly with easy, wizard-based onboarding. Out-of-the-box policies and automated investigation and remediation help automatically protect you against the latest threats, so you can focus on running your business.

Cost-effective: Security that just works without compromising budget. Available in two flexible plans as part of Microsoft 365 Business Premium, or as a standalone solution for $3 per user per month.

Microsoft Defender for Business now generally available: https://aka.ms/DefenderforBusiness
Microsoft Defender for Business servers add-on now in preview: https://aka.ms/MDB-TechblogJuly22
Microsoft Defender for Business
Elevate your security
Capabilities: Threat & Vulnerability Management | Attack Surface Reduction | Next Generation Protection | Endpoint Detection & Response | Auto Investigation & Remediation
Simplified Onboarding and Administration
APIs and Integration

Delivering endpoint security across platforms
• Endpoints and servers²
• Mobile device OS¹
• Virtual desktops (Azure Virtual Desktop)

¹ iOS, and Android requires Microsoft Intune. Intune is included in Microsoft 365 Business Premium. ² Add-on server support now available in preview. Please see Documentation for more detail.
Microsoft Defender for Business is included in Business Premium
Licensing options

Microsoft 365 Business Premium ($22pupm)¹
Comprehensive productivity and security solution. Per user license. Entitlement for use on up to 5 devices.
Includes:
• Microsoft 365 Business Standard ($12.50): Office apps and services, Teams
• Microsoft Defender for Business
• Microsoft Defender for Office 365 Plan 1
• Intune
• Azure AD Premium Plan 1
• Azure Information Protection Premium P1
• Exchange Online Archiving
• Autopilot
• Azure Virtual Desktop license
• Windows 10/11 Business
• Shared Computer Activation

Microsoft Defender for Business ($3pupm)¹
Enterprise-grade endpoint security. Per user license.
• Next generation protection
• Cross-Platform support (iOS, Android, Windows, MacOS)²
• Endpoint Detection and Response
• Threat and Vulnerability Management
• …and more

1. As standalone SKU, up to 300 users
2. Included as part of Microsoft 365 Business Premium, up to 300 users.
3. Add-on Server offering now available in preview.

¹ price is subject to change based on subscription term, currency and region
² iOS, and Android requires Microsoft Intune. Intune is included in Microsoft 365 Business Premium. Please see Documentation for more detail.
Product comparison – Endpoint security
Cross platform and enterprise grade protection with next-gen protection, endpoint detection and response, and threat and vulnerability management. Available as a standalone endpoint security and as part of Microsoft 365 Business Premium. Defender for Business servers add-on is now in preview. Supports multi-customer viewing of security incidents with Microsoft 365 Lighthouse for partners.

Customer size: < 300 seats (Microsoft Defender for Business) | > 300 seats (Microsoft Defender for Endpoint Plan 1, Microsoft Defender for Endpoint Plan 2)

Endpoint capabilities \ SKU: Microsoft Defender for Business | Microsoft Defender for Endpoint Plan 1 | Microsoft Defender for Endpoint Plan 2
Capability rows compared across the three SKUs:
• Centralized management
• Simplified Firewall and Antivirus configuration for Windows
• Threat and Vulnerability Management
• Attack Surface Reduction
• Next-Gen Protection
• Endpoint Detection and Response¹
• Automated Investigation and Remediation¹
• Threat Hunting and 6-months data retention
• Threat Analytics¹
• Cross platform support for Windows, MacOS, iOS³, and Android³ clients
• Windows server and Linux server⁴ ((Add-on) Microsoft Defender for Business server in preview)
• Microsoft Threat Experts
• Partner APIs
• Microsoft 365 Lighthouse for viewing security incidents across customers²

¹ Optimized for SMB. ² Additional capabilities planned. ³ Requires Microsoft Intune. Intune is included in Microsoft 365 Business Premium. ⁴ Requires separate server license. Please see Documentation for more detail.
Microsoft Defender for Business brings enterprise grade endpoint security to Microsoft 365 Business Premium
Columns: PRE MDB Microsoft 365 Business Premium³ | WITH MDB Microsoft 365 Business Premium³ | Microsoft Defender for Business (MDB)³ (marks shown as extracted, left to right)

eDiscovery and Audits
• eDiscovery
• Litigation Hold
• Email Archiving • •
• Information Rights Management •

Information Protection
• File classification/labeling
• File tracking and revocation • •
• Message Encryption •

Data Loss Prevention
• Data Loss Prevention
• Data App Security • •

Email and Collaboration Security
• Safe links • •
• Safe Attachments • •
• Anti-phishing • •

Device management
• Windows device setup & management •¹ •¹
• Device health analytics • •
• Mobile Device Management
• Mobile App Management • •

Identity and Access Management and Security
• Risk based Conditional access • •
• Multi-factor authentication • •

Endpoint Security
• Centralized management • • •
• Simplified client configuration • •
• Next-gen protection Win10 • •
• Attack Surface Reduction Win10¹ • •
• Network Protection • •
• Web Category blocking • •
• Endpoint detection and response • •
• Cross platform support (iOS/Android/Mac) •⁴ •⁴
• Automated investigation and response •² •²
• Threat and vulnerability • •
• Threat intelligence •² •²

¹ Limited. ² Optimized for SMB. ³ Microsoft Defender for Business is available in Microsoft 365 Business Premium and as a standalone SKU. Read the blog post to learn more. ⁴ iOS, and Android requires Microsoft Intune. Intune is included in Microsoft 365 Business Premium. Please see Documentation for more detail.
Microsoft Security—a Leader in 5 Gartner Magic Quadrant reports
Access Management | Cloud Access Security Brokers | Enterprise Information Archiving | Endpoint Protection Platforms | Unified Endpoint Management

*Gartner “Magic Quadrant for Access Management,” by Henrique Teixeira, Abhyuday Data, Michael Kelley, November 2021
*Gartner “Magic Quadrant for Cloud Access Security Brokers,” by Craig Lawson, Steve Riley, October 2020
*Gartner “Magic Quadrant for Enterprise Information Archiving,” by Michael Hoech, Jeff Vogel, October 2020
*Gartner “Magic Quadrant for Endpoint Protection Platforms,” by Paul Webber, Rob Smith, Prateek Bhajanka, Mark Harris, Peter Firstbrook, May 2021
*Gartner “Magic Quadrant for Unified Endpoint Management,” by Dan Wilson, Chris Silva, Tom Cipolla, August 2021

These graphics were published by Gartner, Inc. as part of larger research documents and should be evaluated in the context of the entire documents. The Gartner documents are available upon request from Microsoft. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.
Microsoft the only Leader in IDC MarketScape for Modern Endpoint Security for Enterprise and Small and Midsize Businesses

IDC MarketScape: Worldwide Modern Endpoint Security for Small and Midsize Businesses 2021 Vendor Assessment https://idcdocserv.com/US48304721
IDC MarketScape vendor analysis model is designed to provide an overview of the competitive fitness of information and communication technology (ICT) suppliers in a given market. The research methodology utilizes a rigorous scoring methodology based on both qualitative and quantitative criteria that results in a single graphical illustration of each vendor’s position within a given market. The Capabilities score measures vendor product, go-to-market, and business execution in the short term. The Strategy score measures alignment of vendor strategies with customer requirements in a three to five-year timeframe. Vendor market share is represented by the size of the icons.

Microsoft named a Leader in IDC MarketScape for Modern Endpoint Security for Enterprise and Small and Midsize Businesses - Microsoft Security Blog
Simplified Onboarding and Administration
Wizard-driven onboarding and easy to use management controls
1 Onboard new Windows devices in a few simple steps
2 Recommended security policies activated out-of-the-box
3 Action-oriented dashboard helps prioritize tasks

iOS, and Android requires Microsoft Intune. Intune is included in Microsoft 365 Business Premium. Please see Documentation for more detail.
Threat & Vulnerability Management
A risk-based approach to mature your vulnerability management program
1 Continuous real-time discovery
2 Context-aware prioritization
3 Built-in end-to-end remediation process

Extensive vulnerability assessment across the entire stack
Continuous real-time discovery
Layers, from easiest to exploit (top) to hardest to discover (bottom):

Application extension vulnerabilities
Application-specific vulnerabilities that relate to a component within the application.
For example: Grammarly Chrome Extension (CVE-2018-6654)

Application run-time libraries vulnerabilities
Reside in a run-time library which is loaded by an application (dependency).
For example: Electron JS framework vulnerability (CVE-2018-1000136)

Application vulnerabilities (1st and 3rd party)
Discovered and exploited on a daily basis.
For example: 7-zip code execution (CVE-2018-10115)

OS kernel vulnerabilities
Becoming more and more popular in recent years due to OS exploit mitigation controls.
For example: Win32 elevation of privilege (CVE-2018-8233)

Hardware vulnerabilities (firmware)
Extremely hard to exploit, but can affect the root of trust of the system.
For example: Spectre/Meltdown vulnerabilities (CVE-2017-5715)
Broad secure configuration assessment
Continuous real-time discovery

Operating system misconfiguration
• File Share Analysis
• Security Stack configuration
• OS baseline

Application misconfiguration
• Least-privilege principle
• Client/Server/Web application analysis
• SSL/TLS Certificate assessment

Account misconfiguration
• Password Policy
• Permission Analysis

Network misconfiguration
• Open ports analysis
• Network services analysis
Helping customers focus on the right things at the right time
Threat & Business Prioritization (“TLV”)

T: Threat Landscape
• Vulnerability characteristics (CVSS score, days vulnerable)
• Exploit characteristics (public exploit & difficulty, bundle)
• EDR security alerts (Active alerts, breach history)
• Threat analytics (live campaigns, threat actors)

L: Breach Likelihood
• Current security posture
• Internet facing
• Exploit attempts in the org

V: Business Value
• HVA analysis (WIP, HVU, critical process)
• Run-time & Dependency analysis
Attack Surface Reduction
Protect against risks by reducing the surface area of attack
1 System hardening without disruption
2 Customization that fits your business
3 Visualize the impact and simply turn it on

Attack Surface Reduction: resist attacks and exploitations
• HW based isolation: Isolate access to untrusted sites; Isolate access to untrusted Office files
• Application control: Only allow trusted applications to run
• Exploit protection (exploit mitigation): Protect your legacy applications
• Network protection (host intrusion prevention): Block traffic to low reputation destinations
• Controlled folder access (ransomware protection): Ransomware protection for your files
• Device control
• Web protection
Attack Surface Reduction (ASR) Rules
Minimize the attack surface
Attack surface reduction (ASR) rules help to control entry points to your Windows devices using cloud intelligence, such as behavior of Office macros.

Productivity apps rules
• Block Office apps from creating executable content
• Block Office apps from creating child processes
• Block Office apps from injecting code into other processes
• Block Win32 API calls from Office macros
• Block Adobe Reader from creating child processes
• Block only Office communication applications from creating child processes

Script rules
• Block obfuscated JS/VBS/PS/macro code
• Block JS/VBS from launching downloaded executable content

Polymorphic threats
• Block executable files from running unless they meet a prevalence (1000 machines), age (24hrs), or trusted list criteria
• Block untrusted and unsigned processes that run from USB
• Use advanced protection against ransomware

Email rule
• Block executable content from email client and webmail

Lateral movement & credential theft
• Block process creations originating from PSExec and WMI commands
• Block credential stealing from the Windows local security authority subsystem (lsass.exe)
• Block persistence through WMI event subscription
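The slide says "visualize the impact and simply turn it on"; the usual way to do that for ASR rules is to run them in audit mode first, read the Defender operational log, and only then enforce. The script below is an added example, not Microsoft's own code or part of the deck; the three rule GUIDs are quoted from Microsoft's ASR rule reference as I remember it and should be checked against the current documentation, and the event message parsing is my own.

```powershell
# Added example, not from the deck: stage three of the ASR rules above in Audit mode,
# review what each rule would have blocked, then switch the reviewed rules to Block.
# Rule GUIDs are quoted from Microsoft's ASR rule reference from memory; verify them
# against the current documentation. Run in an elevated PowerShell session on a
# Windows device with Microsoft Defender Antivirus.

$AsrRules = @{
    'Block credential stealing from LSASS'                        = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block all Office applications from creating child processes' = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block executable content from email client and webmail'      = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
}

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)] [string[]] $RuleIds,
        [Parameter(Mandatory)] [ValidateSet('AuditMode', 'Enabled', 'Disabled')] [string] $Mode
    )
    # Add-MpPreference merges into the existing rule list, so rules managed elsewhere
    # (Intune, Group Policy) keep their current action.
    foreach ($id in $RuleIds) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrRuleState {
    # Map of rule GUID -> configured action (0 Disabled, 1 Block, 2 Audit, 6 Warn).
    $pref  = Get-MpPreference
    $state = @{}
    for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
        $state[$pref.AttackSurfaceReductionRules_Ids[$i]] = $pref.AttackSurfaceReductionRules_Actions[$i]
    }
    return $state
}

function Get-AsrEvents {
    param([int] $Days = 7)
    # Defender writes event 1122 when a rule fires in audit mode and 1121 when it blocks.
    # Rule GUID, target path and process are pulled from the message text with a regex,
    # which avoids depending on the positional order of the event's properties.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = $(if ($_.Id -eq 1121) { 'Block' } else { 'Audit' })
            RuleId  = [regex]::Match($_.Message, 'ID:\s*([0-9a-fA-F-]{36})').Groups[1].Value.ToLower()
            Process = [regex]::Match($_.Message, 'Process Name:\s*(.+)').Groups[1].Value.Trim()
            Target  = [regex]::Match($_.Message, 'Path:\s*(.+)').Groups[1].Value.Trim()
        }
    }
}

# Stage 1: audit only. Nothing is blocked yet; the log shows what would have been.
Set-AsrRuleMode -RuleIds $AsrRules.Values -Mode AuditMode

# Stage 2 (after the audit window): count audit hits per rule so legitimate
# line-of-business processes can be excluded before enforcement.
$hits = Get-AsrEvents -Days 7 | Where-Object Mode -eq 'Audit' | Group-Object RuleId
foreach ($name in $AsrRules.Keys) {
    $id    = $AsrRules[$name]
    $count = ($hits | Where-Object Name -eq $id | Select-Object -First 1).Count
    '{0,-62} audit hits: {1}' -f $name, [int]$count
}

# Stage 3: enforce. Repeat per rule once its audit hits have been reviewed.
Set-AsrRuleMode -RuleIds $AsrRules.Values -Mode Enabled
Get-AsrRuleState
```

On a tenant managed through Intune or Lighthouse the same audit-then-block sequence is done in the endpoint security policy rather than with Set/Add-MpPreference, but the event IDs and log name are the same.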
Web content filtering configuration
Next Generation Protection
Helps block and tackle sophisticated threats and malware
1 Behavioral based real-time protection
2 Blocks file-based and fileless malware
3 Stops malicious activity from trusted and untrusted applications

Microsoft Defender for Business next generation protection engines

Cloud
• Metadata-based ML: Stops new threats quickly by analyzing metadata
• Behavior-based ML: Identifies new threats with process trees and suspicious behavior sequences
• AMSI-paired ML: Detects fileless and in-memory attacks using paired client and cloud ML models
• File classification ML: Detects new malware by running multi-class, deep neural network classifiers
• Detonation-based ML: Catches new malware by detonating unknown files
• Reputation ML: Catches threats with bad reputation, whether direct or by association
• Smart rules: Blocks threats using expert-written rules

Client
• ML: Spots new and unknown threats using client-based ML models
• Behavior monitoring: Identifies malicious behavior, including suspicious runtime sequence
• Memory scanning: Detects malicious code running in memory
• AMSI integration: Detects fileless and in-memory attacks
• Heuristics: Catches malware variants or new strains with similar characteristics
• Emulation: Evaluates files based on how they would behave when run
• Network monitoring: Catches malicious network activities
Innovations in Fileless Protection
• Dynamic and in-context URL analysis to block calls to malicious URLs
• AMSI-paired machine learning uses pairs of client-side and cloud-side models that integrate with Antimalware Scan Interface (AMSI) to perform advanced analysis of scripting behavior
• DNS exfiltration analysis
• Deep memory analysis

Taxonomy of fileless threats
• Type I: No file activity performed
• Type II: No file written on disk, but some files used indirectly
• Type III: Files required to achieve fileless persistence
(Diagram entities: Remote attacker; Network card; Hard disk; Circuitry backdoors; Hypervisor; IME; BadUSB; Motherboard firmware; Registry; WMI Repo; Shell; Service; Exe; LNK; Docs; Scheduled Task; Java; Flash; MBR; VBR)
Microsoft Defender for Business’ NGP protection pipeline
Stages from malware encounter to highly stealthy threats:
1 Client: heuristics, behavior, and local ML models
2 Cloud metadata: ML-powered cloud rules
3 Sample: suspicious files uploaded for inspection by a multiclass, deep neural network classifier
4 Detonation: suspicious files are executed in a sandbox for dynamic analysis
5 Big data: automatically classify threats based on signals across Microsoft
Dynamic: behavior monitoring

Monitors activity on:
• Files
• Registry keys
• Processes
• Network (basic HTTP inspection)
• … and a few other specific activities

Heuristics can:
• Detect sequences of events. E.g. a file named “malware.exe” is created
• Inspect event data. E.g. an AutoRun key is created and contains “malware.exe”
• Correlate with other static signals. E.g. “malware.exe” has an attribute indicating it is a DotNet executable
• Perform some basic remediation. E.g. delete “malware.exe” if the BM event reported infection
• Request memory scan of running processes
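To make the four heuristic steps above concrete, here is an added example (my own, not the product's engine or code from the deck) that walks the "malware.exe" scenario over a constructed event stream: a file drop, an AutoRun registry value pointing at it, a process start, and a static attribute, producing a score and a remediation plan. The event shape, field names and scoring are assumptions.

```powershell
# Added example, not from the deck: a toy behavior-monitoring heuristic that walks the
# four steps on the slide over a constructed event stream. Event shape, field names
# and the scoring are my own; a real engine works on kernel-level telemetry.

# Constructed sample events, in the order the sensor would see them.
$SampleEvents = @(
    [pscustomobject]@{ Seq = 1; Type = 'FileCreate';   Path = 'C:\Users\Public\malware.exe'; IsDotNet = $true }
    [pscustomobject]@{ Seq = 2; Type = 'RegistrySet';  Key  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'; Value = '"C:\Users\Public\malware.exe" /silent' }
    [pscustomobject]@{ Seq = 3; Type = 'ProcessStart'; Path = 'C:\Users\Public\malware.exe'; ProcessId = 4242 }
    [pscustomobject]@{ Seq = 4; Type = 'FileCreate';   Path = 'C:\Users\Public\notes.txt';   IsDotNet = $false }
    [pscustomobject]@{ Seq = 5; Type = 'RegistrySet';  Key  = 'HKCU\Software\Contoso\Settings'; Value = 'C:\Users\Public\notes.txt' }
)

function Find-AutoRunPersistence {
    param([Parameter(Mandatory)] [object[]] $Events)
    $findings = @()
    foreach ($create in ($Events | Where-Object Type -eq 'FileCreate')) {
        # Step 1, sequence of events: a new file appeared.
        # Step 2, event data: a later AutoRun (Run/RunOnce) value references that file.
        $autoRun = @($Events | Where-Object {
            $_.Type -eq 'RegistrySet' -and $_.Seq -gt $create.Seq -and
            $_.Key -match '\\CurrentVersion\\Run(Once)?$' -and
            $_.Value -like "*$($create.Path)*"
        })
        if ($autoRun.Count -eq 0) { continue }

        # Step 3, correlate with other signals: did the file execute, and is it a .NET binary?
        $started = @($Events | Where-Object {
            $_.Type -eq 'ProcessStart' -and $_.Path -eq $create.Path -and $_.Seq -gt $create.Seq
        })
        $score = 2                              # file drop + AutoRun persistence
        if ($started.Count -gt 0) { $score++ }  # it actually ran
        if ($create.IsDotNet)     { $score++ }  # static attribute from the file header

        # Step 4, remediation plan. Only a plan: nothing is deleted or scanned here.
        $actions = @(
            "Delete file $($create.Path)"
            "Remove AutoRun value from $($autoRun[0].Key)"
        )
        if ($started.Count -gt 0) {
            $actions += "Request memory scan of process $($started[0].ProcessId)"
        }
        $findings += [pscustomobject]@{ File = $create.Path; Score = $score; Actions = $actions }
    }
    return $findings
}

# On the sample stream only malware.exe is reported (score 4, three actions);
# notes.txt is dropped and referenced in the registry but never from an AutoRun key.
Find-AutoRunPersistence -Events $SampleEvents | Format-List
```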


Endpoint Detection & Response
Detect and investigate advanced persistent attacks
1 Behavioral-based detection
2 Manual response actions for a device or file
3 Live response to gain access to devices

Incidents
Narrate the end-to-end attack story
• Reconstructing the story: The broader attack story is better described when relevant alerts and related entities are brought together.
• Incident scope: IT Admins receive better perspective on the purview of complex threats containing multiple entities.
• Higher fidelity, lower noise: Effectively reduces the load and effort required to investigate and respond to attacks.

Live Response
Real-time live connection to a remote system
• Leverage Microsoft Defender for Business Auto IR library (memory dump, MFT analysis, raw filesystem access, etc.)
• Extended remediation command + easy undo
• Full audit
• Extendable (write your own command, build your own tool)
• RBAC+ Permissions
• Git-Repo (share your tools)
Threat Analytics
Delivering insight on major threats to your organization
• Threat to posture view: See how you score against significant and emerging campaigns with interactive reports.
• Identify unprotected systems: Get real-time insights to assess the impact of the threat on your environment.
• Get guidance: Provides recommended actions to increase security resilience and to prevent or contain the threat.

Auto Investigation & Remediation
Automatically investigates alerts and helps to remediate complex threats
1 Mimics the ideal steps analysts would take
2 Tackles file or memory-based attacks
3 Scales security operations with 24x7 automated responses

What Is Microsoft Defender for Business Auto IR?
Security automation is… mimicking the ideal steps a human would take to investigate and remediate a cyber threat
Security automation is not… “if machine has alert, auto-isolate”

When we look at the steps an analyst takes when investigating and remediating threats, we can identify the following high-level steps:
1 Determining whether the threat requires action
2 Performing necessary remediation actions
3 Deciding what additional investigations should be next
4 Repeating this as many times as necessary for every alert

Auto investigation queue
Investigation graph
Partner APIs - Connecting with the platform
Microsoft Defender for Business
Elevate your security
Capabilities: Threat & Vulnerability Management | Attack Surface Reduction | Next Generation Protection | Endpoint Detection & Response | Auto Investigation & Remediation
APIs and Integration: Devices | Reporting | Apps | SIEM | Data | Tools

Defender for Business servers now in preview
Add-on Windows and Linux server protection to Defender for Business or Microsoft 365 Business Premium*
1 Same protection for both clients and servers with a single simplified admin experience.
2 Multi-customer management with Microsoft 365 Lighthouse integration
3 $3 per server instance at time of general availability

Get the preview at https://aka.ms/DefenderforBusiness
Learn more from the https://aka.ms/MDB-TechblogJuly22

*Add-on requires a minimum of one Microsoft 365 Business Premium, or Defender
Built on the foundation of an industry leader in endpoint security
• Gartner names Microsoft a Leader in 2021 Endpoint Protection Platforms Magic Quadrant.
• Forrester names Microsoft a Leader in 2021 Endpoint Security Software as a Service Wave.
• IDC names Microsoft a Leader for Modern Endpoint Security for Enterprise and Small and Midsize Businesses
• Microsoft leads in real-world detection in MITRE ATT&CK evaluation.
• Microsoft Defender for Endpoint awarded a perfect 5-star rating by SC Media in 2020 Endpoint Security Review
• Microsoft won six security awards with Cyber Defense Magazine at RSAC 2021: Best Product Hardware Security; Market Leader Endpoint Security; Editor's Choice Extended Detection and Response (XDR); Most Innovative Malware Detection; Cutting Edge Email Security
• Our antimalware capabilities consistently achieve high scores in independent tests.

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. The Gartner content described herein (the “Gartner Content”) represent(s) research opinion or viewpoints published, as part of a syndicated subscription service, by Gartner, Inc. ("Gartner"), and are not representations of fact. Gartner Content speaks as of its original publication date (and not as of the date of this [type of filing]), and the opinions expressed in the Gartner Content are subject to change without notice. GARTNER and MAGIC QUADRANT are registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

IDC MarketScape: Worldwide Modern Endpoint Security for Enterprises 2021 Vendor Assessment, Doc #US48306021. November 2021
Microsoft Defender consistently rated top AV
1. AV-TEST: Protection score of 6.0/6.0 in the latest test
2. AV-Comparatives: Protection rating of 99.7% in the latest test
3. SE Labs: AAA award in the latest test
4. MITRE: Industry-leading optics and detection capabilities
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests
Microsoft 365 Business Premium
What security features are there in
Microsoft 365 Business Premium?

Name: Adele V
Role: Partner Resource
Company: Partner
Microsoft 365 Business Premium
One solution to run your business securely, from anywhere
• Collaborate in real time
• Enable secure access to work apps
• Protect against cyberthreats and safeguard data
• Secure company owned and personal devices
Microsoft 365 Business Premium
Your path to increasing profitability

Meet customer needs for increased security

Manage with ease with Lighthouse/RMM

Standardize on one solution across the SMB stack

Create ongoing revenue with managed services

“Since basing a managed service offering on Microsoft 365 Business Premium, profitability per employee has shot up by 250 percent.”
-- Martin Liljenberg: CTO and Cofounder, WeSafe
Microsoft 365 Business Premium
Comprehensive security and productivity solution, designed for businesses with 1-300 employees
• Collaborate in real time
• Enable secure access and protect identity
• Defend against cyberthreats and data loss
• Easily secure and manage devices
”Having a best-in-class platform like Microsoft 365 addresses multiple challenges in one go, something that was missing earlier. Today, I can say that we have all the tools in place for significantly improving business productivity and collaboration while providing a much higher level of security.”
—Praveen Vashishta, Chairman and CEO at Howden India
Today’s sophisticated attacks call for Layered security
Microsoft 365 Business Premium
Identity Security (User)
• Azure AD features like MFA
• Self Service Password Reset
• Conditional Access
• Dynamic Groups
Device Security (Device)
• Windows 10 Pro
• Full Centralized Management of Mobile and Laptops with Intune
• Remote wipe of data of lost & stolen devices
• BitLocker Encryption
• Enforce Strong Pin requirements along with Wi-Fi, VPN profiles
• Microsoft Defender for Business
Application Security (Application)
• Restrict copy/paste/save corp data to personal apps using Intune App Protection Policies
• Defender for Office 365 for protection against malware and zero day attacks
Document Security (Document)
• Azure Information Protection protects, classifies Documents for secure sharing including in Teams
• Revoke access to Documents
• Track Sensitive documents
• Data Loss Prevention to monitor sensitive data from being transmitted
• Email restrictions like “Do Not Forward” or “Encrypt Email”
Enable secure access from anywhere and
protect identity
Start with securing identity and access

• Protect against lost and stolen passwords
• Secure access to work apps
• Enable remote desktop access
Enable remote desktop access with Windows Virtual Desktop
• Deliver the only multi-session Windows 10 experience that’s highly scalable and stays up to date
• Enable optimizations for Office
• Migrate RDS desktops and apps and simplify licensing and reduce costs
• Deploy and scale in minutes. Manage with unified admin interface in Azure Portal
• Support any end-user device platform including Windows, Android, Mac, iOS, and HTML 5
Protect against cyber threats and data loss
Defend against cyberthreats and safeguard business data

• Protect users against cyberthreats like phishing
• Safeguard confidential business data
• Get visibility into cloud app use
Protect against cyberthreats with Microsoft Defender for Office 365
• Protect against malicious links in email or Teams with real time scanning using Microsoft Defender for Office 365 Safe Links
• Get AI-powered malware scanning for attachments in email and shared document links in Teams and OneDrive with Safe Attachments
• Defend against impersonation and spoofing with anti-phishing
• Get better protection on Windows devices against suspicious processes like ransomware with Microsoft Defender AV
Safeguard business data with DLP and Azure Information Protection

• Prevent sharing of sensitive information like credit card numbers using preconfigured DLP policy templates for HIPAA, PCI_DSS, SSN etc.
• Control whether an email can be forwarded, printed, or viewed by non-employees.
• Control whether a document can be edited, printed, or viewed by non-employees. You can also revoke access.
Get visibility into cloud app use with Cloud App Discovery
• Discover cloud app usage to understand shadow IT risk
• Understand the security of your cloud apps with risk assessment for 16,000+ cloud apps
• Understand usage patterns and identify high risk users. Export data for additional analysis
• Prioritize applications to bring under IT control and integrate applications to enable single sign-on and user management
Check your Secure Score

The problem:
You want to improve your customer’s
security, but don’t know where to start
The solution:
Check Microsoft Secure Score

What it is:
Microsoft Secure Score analyzes your
Microsoft 365 overall security and assigns a
score. Secure Score also recommends next
steps to consider in order to improve security.
How to access:
http://securescore.microsoft.com
Exercise: Complete the setup wizard & check
O365 SecureScore
Pop quiz

01 As we progress through the lab exercises our Secure Score should go up. When should we expect to see changes reflected in Secure Score?
Immediately / Tomorrow
M365 Security at a glance
Set up tenant
Configure identity protection
Configure endpoint protection
Configure email protection
Corporate data containment
Advanced Security
Device management & security
Secure remote access

Checklist: https://aka.ms/smbchecklist
How to use the checklist

Review the guidance


Download the checklist
Determine your customer’s risk scenario
• Typical customer
• Higher risk / lower tolerance for risk

Checklist: https://aka.ms/smbchecklist
Securing identities with Azure AD P1
How can I secure identities with Azure
AD P1?

Name: Bob D
Role: Partner Resource
Company: Partner
Azure Active Directory
Protect your users, apps, workloads, and devices.

• User directory
• Single sign-on to any app
• User self service

Azure AD P1
• Multifactor and passwordless authentication
• Conditional Access and Identity Protection
• Hybrid identity management
• Core identity governance
• External and frontline identities
Secure access for a connected world.
Enforce Multi-factor authentication
Verify user identities with strong authentication

Including passwordless technology: Microsoft Authenticator, Windows Hello, FIDO2 Security key, Biometrics
We support a broad range of multi-factor authentication options: Push Notification, Soft Tokens OTP, Hard Tokens OTP, SMS, Voice
Multi-factor authentication prevents 99.9% of identity attacks¹
1. “Your Password Doesn’t Matter” July 2019, Microsoft Tech Community Research Article
Secure access to work apps – with Azure Active Directory
Azure AD Premium P1 is now included with Microsoft 365 Business Premium

• Enable your employees to remotely access on-premises apps without opening broad access to your network with App Proxy¹
• Control “where, when and who” connects to Office apps with Conditional Access
• Automatically add/remove users to security groups and reduce IT overhead with Dynamic Groups
Set up identity security with MFA

The problem: Passwords are vulnerable
• 90% of passwords can be cracked in less than six hours¹
• Two-thirds of people use the same password everywhere¹
• Criminals are getting more effective in stealing passwords through phishing and social engineering
The solution: Multi-factor authentication (MFA)
• MFA is enabled by default for any Microsoft 365 customer using security defaults
• Partners should enable MFA for Microsoft 365 Business Premium customers by using conditional access policies
• Partners should use passwordless MFA authentication methods when possible
1. https://secureswissdata.com/two-factor-authentication-importance/
Protect resources with Conditional Access
Configure adaptive access policies based on context and risk

Signals: User and location, Device, Application, Real-time risk
Verify every access attempt
Apps and data: Allow access, Require MFA, Limit access, Password reset, Monitor access
Enable remote access to apps
Conditional access and identity protection: real-time risk-based access control
Identities (Azure AD, ADFS, MSA, Google ID): employee and partner users and roles
Conditions:
• Trusted and compliant devices (Android, iOS, MacOS, Windows; Microsoft Defender ATP)
• Corporate network, physical and virtual location, geo-location
• Client apps and auth method (browser apps, client apps)
Real-time evaluation engine: Microsoft cloud (171TB), machine learning, session risk, effective policies
Controls:
• Allow/block access
• Limited access
• Require MFA
• Force password reset
• Block legacy authentication
Apps: Microsoft cloud apps, cloud SaaS apps, on-premises and web apps
Exercise: Enable MFA with conditional access
& self service password reset
Pop quiz

02
Can I use Security Defaults to
enable MFA if my customer
also requires Conditional
Access policies?

YES NO
Use Conditional Access for MFA
Best practices
• Do not enable MFA on a per user basis
• Always exclude an admin account from the policies to ensure you can correct a mistake
• Start with one target group of users
• Ensure your users know what to expect
• Test your policies before rolling out
Common tasks
• Enable SSPR in Azure AD
• Create a Conditional Access Exclusion group
• Enable common conditional access policies:
  • Block Legacy Authentication
  • Require MFA for admins
  • Require MFA for all users
  • Secure security info registration
  • Block access by location
  • Require compliant devices
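To make the diagram and the common policies above concrete, here is an added example (not Microsoft's evaluation engine) that models how the signals of a sign-in are matched against the five common policies and how the resulting controls combine, including the exclusion group for a break-glass admin. Group, role and country names in it are constructed.

```python
"""Toy evaluator for how Conditional Access policies combine. Added example,
not Microsoft's engine: the five policies mirror the slide's common tasks, and
the exclusion group for a break-glass admin is the recommended best practice.
Group, role and country names are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SignIn:                        # the "signals" side of the diagram
    user: str
    groups: set
    roles: set = field(default_factory=set)
    legacy_auth: bool = False        # e.g. basic auth from an old mail client
    device_compliant: bool = False   # Intune compliance state
    country: str = "US"


@dataclass
class Policy:
    name: str
    grant: str                       # "block", "mfa" or "compliant_device"
    include_roles: Optional[set] = None    # None means all users
    exclude_groups: set = field(default_factory=set)
    legacy_auth_only: bool = False
    blocked_countries: set = field(default_factory=set)

    def applies(self, s: SignIn) -> bool:
        if s.groups & self.exclude_groups:            # exclusions always win
            return False
        if self.include_roles is not None and not (s.roles & self.include_roles):
            return False
        if self.legacy_auth_only and not s.legacy_auth:
            return False
        if self.blocked_countries and s.country not in self.blocked_countries:
            return False
        return True


EXCL = "CA-Exclusions"   # constructed exclusion group holding the break-glass account
POLICIES = [
    Policy("Block Legacy Authentication", "block", legacy_auth_only=True, exclude_groups={EXCL}),
    Policy("Require MFA for admins", "mfa", include_roles={"Global Administrator"}, exclude_groups={EXCL}),
    Policy("Require MFA for all users", "mfa", exclude_groups={EXCL}),
    Policy("Block access by location", "block", blocked_countries={"XX"}, exclude_groups={EXCL}),
    Policy("Require compliant devices", "compliant_device", exclude_groups={EXCL}),
]


def evaluate(s: SignIn, policies=POLICIES) -> dict:
    """Combine every matching policy: any block wins; otherwise all grant
    controls must be met (MFA is reported as a challenge to satisfy)."""
    matched = [p for p in policies if p.applies(s)]
    blocks = [p.name for p in matched if p.grant == "block"]
    if blocks:
        return {"decision": "block", "policies": blocks}
    controls = {p.grant for p in matched}
    if "compliant_device" in controls and not s.device_compliant:
        return {"decision": "block", "policies": ["Require compliant devices"]}
    decision = "require_mfa" if "mfa" in controls else "allow"
    return {"decision": decision, "policies": [p.name for p in matched]}
```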
Password hash sync
Sync Agent between Microsoft Active Directory and Azure AD
Enable cloud authentication: flexible options based on your situation
On-premises apps and SaaS apps
No real-time on-premises dependency or new infrastructure needed.
Securing Email
How can I secure my customer’s e-mail
solution?
Name: Megan B
Role: Partner Resource
Company: Partner
Exchange Online Protection (EOP): blocks commodity spam and malware
Transport Rules: block auto-forward, add warnings
The basics: DNS records (MX, SPF, DKIM, & DMARC)
Defender for Office 365: analyzes email & files for anything suspicious
EOP & Defender for Office 365 do not address endpoint or network security
Exchange Online Protection (EOP)
Blocks commodity spam and malware
Email Protection: Transport Rules (block auto-forward, add warnings)
The basics: DNS records (MX, SPF, DKIM, & DMARC)
Exercise: Enable Email authentication (SPF,
DKIM, and DMARC)
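A way to verify the outcome of this exercise, as an added example that is not Microsoft's tooling: an offline checker that audits a domain's SPF, DKIM and DMARC records and flags the weak settings (a permissive `+all`, a monitor-only `p=none`, partial `pct`, missing report address, missing DKIM selectors). The in-memory `DNS` zone is constructed; the Microsoft 365 SPF include and the selector1/selector2 DKIM CNAMEs are the documented values.

```python
"""Offline checker for the email-authentication records the exercise sets up
(SPF, DKIM, DMARC). Added example, not Microsoft's tooling: DNS is a
constructed in-memory zone, so nothing is looked up on the network. The
Microsoft 365 values used (include:spf.protection.outlook.com and the
selector1/selector2 DKIM CNAMEs) are the documented ones."""

DNS = {  # constructed sample records: contoso.com is set up well, fabrikam.com is not
    ("contoso.com", "TXT"): ["v=spf1 include:spf.protection.outlook.com -all"],
    ("_dmarc.contoso.com", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@contoso.com"],
    ("selector1._domainkey.contoso.com", "CNAME"): ["selector1-contoso-com._domainkey.contoso.onmicrosoft.com"],
    ("selector2._domainkey.contoso.com", "CNAME"): ["selector2-contoso-com._domainkey.contoso.onmicrosoft.com"],
    ("fabrikam.com", "TXT"): ["v=spf1 include:spf.protection.outlook.com +all"],
    ("_dmarc.fabrikam.com", "TXT"): ["v=DMARC1; p=none; pct=50"],
}


def lookup(name: str, rtype: str) -> list:
    return DNS.get((name.lower(), rtype), [])


def check_spf(domain: str) -> list:
    spf = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record; receivers cannot verify sending hosts"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record (receivers treat this as a permanent error)")
    terms = spf[0].split()[1:]
    if "include:spf.protection.outlook.com" not in terms:
        findings.append("SPF: Microsoft 365 include missing; Exchange Online mail will fail SPF")
    last = terms[-1] if terms else ""
    if last in ("+all", "all"):
        findings.append("SPF: '+all' authorizes every host on the Internet")
    elif last == "~all":
        findings.append("SPF: softfail '~all'; move to '-all' once all senders are listed")
    elif last != "-all":
        findings.append("SPF: record does not end with an 'all' mechanism")
    return findings


def check_dkim(domain: str, selectors=("selector1", "selector2")) -> list:
    return [f"DKIM: {s}._domainkey.{domain} CNAME missing" for s in selectors
            if not lookup(f"{s}._domainkey.{domain}", "CNAME")]


def check_dmarc(domain: str) -> list:
    recs = [r for r in lookup(f"_dmarc.{domain}", "TXT") if r.upper().startswith("V=DMARC1")]
    if not recs:
        return ["DMARC: no _dmarc record; spoofed mail is not policed"]
    tags = dict(t.strip().split("=", 1) for t in recs[0].split(";") if "=" in t)
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("DMARC: p=none only monitors; raise to quarantine or reject")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: missing or invalid policy tag p={policy!r}")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports will arrive")
    return findings


def audit(domain: str) -> list:
    """All findings for a domain; an empty list means SPF, DKIM and DMARC look right."""
    return check_spf(domain) + check_dkim(domain) + check_dmarc(domain)
```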
Defender for Office 365
The basics: analyzes email & files for anything suspicious
Safe Attachments
• Set policies to identify if email attachments are malicious
• Catch identified threats in corporate mail before they reach the inbox
• Extend protection to files in SharePoint Online, OneDrive for Business, and Microsoft Teams
• View ATP reports in the Office 365 Security and Compliance Center dashboard
How it works: Email attachments are opened and tested in a virtual environment. If malicious, the attachment is blocked. Protection also applies to attachments shared via SharePoint Online, OneDrive or Teams.
Safe Links & URL Detonation
• Prevent users from being compromised by files linked to malicious URLs
• Safe Links policy can allow users to bypass warnings and enable tracing
How it works: Each time a user clicks on a URL, the link is checked by ATP Safe Links before redirecting to the website.
Advanced Anti-phishing
What it is: Mitigation against spoofing attacks / forged domains. Identifies senders that fail authentication.
How it works: An array of techniques, updated as threats evolve, help block sophisticated impersonation attempts.
• Detection of forgery of the 'From:' header
• Understanding the history of the source’s email infrastructure
• Machine learning algorithms that understand a user’s normal patterns of contact with others
Emails may be blocked, sent to junk mail, quarantined, or have Safety Tips displayed
Examples:
Cóntoso.com instead of Contoso.com
meganb@conotos.com instead of meganb@contoso.com
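The two examples above are the cases a lookalike-domain check has to catch: confusable characters (Cóntoso.com) and near-miss spellings (conotos.com). Here is an added example of such a check, not Microsoft's anti-phishing implementation; the protected-domain list is constructed, and Punycode (`xn--`) labels are decoded first so an internationalized domain is compared by its characters.

```python
"""Lookalike sender-domain detection, as an added example (not Microsoft's
anti-phishing implementation). It flags accented or confusable characters
(Cóntoso.com) and near-miss spellings (conotos.com) by comparing the sender
domain against a constructed list of protected domains."""
import unicodedata

PROTECTED = {"contoso.com", "microsoft.com"}   # constructed list of domains to defend

# A few Cyrillic/Greek letters that render like Latin ones; extend as needed.
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                             "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u03bf": "o"})


def to_unicode(domain: str) -> str:
    """Decode Punycode (xn--) labels so IDN tricks are compared as characters."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain    # already contains non-ASCII characters


def skeleton(domain: str) -> str:
    """Strip accents and map confusables: 'Cóntoso.com' -> 'contoso.com'."""
    decomposed = unicodedata.normalize("NFKD", to_unicode(domain).lower())
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.translate(CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; 'conotos' is 2 edits from 'contoso'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, protected=PROTECTED, max_distance: int = 2) -> dict:
    """Return a verdict for the sender's domain: 'ok' or 'lookalike' with a reason."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in protected:
        return {"domain": domain, "verdict": "ok",
                "reason": "protected domain itself (SPF/DKIM/DMARC still decide authenticity)"}
    skel = skeleton(domain)
    if skel in protected:
        return {"domain": domain, "verdict": "lookalike", "reason": f"confusable characters imitate {skel}"}
    for p in protected:
        d = levenshtein(skel, p)
        if 0 < d <= max_distance:
            return {"domain": domain, "verdict": "lookalike", "reason": f"{d} edit(s) away from {p}"}
    return {"domain": domain, "verdict": "ok", "reason": "no protected domain resembled"}
```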
Exercise: Using pre-set policies:
Enable Safe Attachments, enable Safe Links
and enable Anti-Phishing
Protecting against data loss
How can I protect my customer from
data loss?
Name: Bob D
Role: Technical Consultant
Company: Partner
Safeguard business data with DLP and Azure Information Protection

• Prevent sharing of sensitive information like credit card numbers using preconfigured DLP policy templates for HIPAA, PCI_DSS, SSN etc.
• Control whether an email can be forwarded, printed, or viewed by non-employees.
• Control whether a document can be edited, printed, or viewed by non-employees. You can also revoke access.
Get visibility into cloud app use with Cloud App Discovery
• Discover cloud app usage to understand shadow IT risk
• Understand the security of your cloud apps with risk assessment for 16,000+ cloud apps
• Understand usage patterns and identify high risk users. Export data for additional analysis
• Prioritize applications to bring under IT control and integrate applications to enable single sign-on and user management
Information Protection & Governance
Protect and govern data – wherever it lives
KNOW YOUR DATA: Understand your data landscape and identify important data across your hybrid environment
PROTECT YOUR DATA: Apply flexible protection actions including encryption, visual markings and DLP
GOVERN YOUR DATA: Automatically retain, delete, and store data and records in compliant manner
Powered by an intelligent platform: Unified approach to automatic data classification, policy management, analytics and APIs
Protect and control your data and documents
• Encrypt email
• Apply restrictions to email and documents
• Protect against data leaks
• Archive email data
Encrypt emails

The problem:
Sensitive information is sometimes sent via email
The open nature of email systems means this information is
at risk of being read by unauthorized people

The solution:
Encrypt email sent from Microsoft 365 Business, so only
the intended recipient can access it.
Email encryption
What it is: Azure Information Protection provides easy-to-use email encryption capabilities for sending encrypted email. Basic encryption is on by default.
How it works: The message text and all attachments are encrypted. Only the recipient can decipher the message for reading. Anyone else who tries to open the email sees indecipherable text.
Identity verification: The way the recipient verifies their identity depends on their email system:
• For Office 365 users, authentication happens automatically
• Google, Yahoo, or Outlook.com/Hotmail users sign in with their Google, Yahoo, or Microsoft account
• All others sign in with a one-time passcode
Protect your data using sensitivity labels
• Customizable
• Manual or Automated Labels
• Persists as container metadata or file metadata
• Apply to content or containers
• Label data at rest, data in use, or data in transit
• Readable by other systems
• Determines DLP policy based on labels
• Enable protection actions based on labels
• Seamless end user experience across productivity applications
• Extensible to partner solutions
Sensitivity Labels

What it is:
Azure Information Protection helps an organization to classify and protect its documents and emails, either by restricting the ability to forward and print, or by applying labels.
Protect and control your data and documents
• Encrypt email
• Apply restrictions to email and documents
• Protect against data leaks
• Archive email data
Protect against accidental data leaks

The problem:
It is difficult and unrealistic to expect employees to
manually check every email or document shared for
sensitive information before sharing files outside the
company.

The solution:
Enable Data Loss Prevention (DLP) policies to automatically
identify sensitive information and inform users before
sharing this data externally.
Data Loss Prevention

DLP Policy Templates:


DLP comes with templates to save you the work of building a
new set of rules from scratch.
You can modify these requirements to fine tune the rule to
meet your organization's specific requirements.
Examples of DLP policy templates:
• HIPAA data
• PCI-DSS data
• Gramm-Leach-Bliley Act data
• Locale-specific personally identifiable information
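To show what a DLP rule actually does with content before it is shared, here is an added example (not Microsoft's DLP engine) covering two of the sensitive information types the slides mention, credit card numbers and U.S. Social Security numbers, together with the "inform the user before external sharing" decision. A Luhn checksum keeps random 16-digit runs from triggering the rule; the threshold and the sample messages are constructed.

```python
"""Minimal DLP-style detector for two sensitive information types the slides
mention (credit card numbers and U.S. Social Security numbers), plus the
'warn before external sharing' decision. Added example, not Microsoft's DLP
engine; the block threshold and the sample text are constructed."""
import re

# 13-19 digits, optionally separated by spaces or dashes as printed on a card
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Checksum that issued card numbers satisfy; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject area 000/666/9xx, group 00 and serial 0000, which are never issued."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_sensitive(text: str) -> list:
    """Return (type, masked value) pairs, never the raw value, so findings are safe to log."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("CreditCardNumber", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("USSocialSecurityNumber", "***-**-" + m.group(3)))
    return findings


def dlp_decision(text: str, external_recipients: bool, block_threshold: int = 5) -> str:
    """Show a policy tip (warn the user) when sensitive data is about to leave the
    company; block outright once the count reaches the 'high volume' threshold."""
    findings = find_sensitive(text)
    if not findings or not external_recipients:
        return "allow"
    return "block" if len(findings) >= block_threshold else "policy_tip"
```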
Long-term preservation of email

The problem:
After an employee leaves, you may need to access to
emails they sent or received.
Or, your company may have a policy of retaining email for
a period of time, such as 7 years, to meet regulatory
requirements

The solution:
Utilize the capabilities of Exchange Online Archiving to
archive and preserve email and other relevant information.
Archiving (In-place hold)
What it is: In-Place Hold and Litigation Hold, part of Exchange Online Archiving, can help companies preserve electronically stored information that could be relevant to a pending or current legal case.
How it works: You can use In-Place Hold to accomplish the following goals:
• Enable users to be placed on hold and preserve mailbox items immutably
• Preserve mailbox items deleted by users or automatic deletion processes
• Protect mailbox items from tampering, changes by a user, or automatic processes
• Preserve items indefinitely or for a specific duration
Additionally, you can:
• Preserve the entire mailbox of an employee who leaves or is terminated
• Use In-Place eDiscovery to search mailbox items, including items placed on hold
Security summary
Resources
All content that is linked throughout this document can be found at these sites.

Microsoft 365 Business Premium Partner Playbook (aka.ms/m365bppartnerplaybook):
The place to answer all your questions on the product and what is included from a licensing perspective.

Microsoft Defender for Business Partner Kit (aka.ms/mdbpartnerkit):
The place to get deep dive information on core SMB partner opportunities including partner playbooks, customer marketing material & tele sales scripts.

Microsoft 365 Business Partner Page (https://www.microsoft.com/microsoft-365/partners/business):
The one stop shop for all product content related to Microsoft 365 Business, including product pitch material, licensing and deployment kits.

Microsoft SMB Tech Community (aka.ms/smbtc):
Forum for technical discussion & questions. The place for the experts.
Practical security resources

Microsoft Secure Score


https://securescore.microsoft.com

Microsoft 365 Business Premium security guide


https://aka.ms/m365bpguide

IT ProMentor CIS based Security Assessment tool


https://www.itpromentor.com/cis-controls-4m365
Security Lab
